Bilyoner mobile apps prone to various SSL/TLS attacks

Type securityvulns
Reporter Securityvulns
Modified 2014-06-14T00:00:00


===================================================================== Sceptive Security Advisory

Synopsis: Bilyoner mobile apps prone to various SSL/TLS attacks Product: Various mobile applications Advisory URL: Advisory number: CVE-2014-3750 Issue date: 2014-04-02 =====================================================================

  1. Summary:

Bilyoner [1] is an online betting platform for various betting options on idda [2] , spor toto [3], milli piyango [4], tjk [5].

We have found that mobile apps vulnerable to SSL/TLS attacks which eventually lets attackers to gain sensitive information and hijack user sessions.

  1. Description:

On misconfigured network environments it is possible to redirect HTTPS packets over MITM tools for SSL sessions.

When we redirected our network on such a configuration we have observed that app sends/receives user data unecrypted.


{ "password": "333444", "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e", "username": "12312312" }

And also session-id's are vulnerable for attackers to use on their own configurations to hijack other users' sessions. Such as;


{ "bilyonerCookies": {
"JSESSIONID": "RQdFTcnPydRypLXc71kXhYjBtN5p5sGT31GN4hvRlsN8qTz2GQ2T!-1656694263",
"NSC_wtfswfs-ttm": "ffffffffc3a0840e45525d5f4f58455e445a4a423660" },
"bilyonerSessionId": "C1yTTcnP2wSnwyV2gstRkhrsBh8dsqJfvCYBFHqTGvVwhZSYhsJM!-1656694263!1394403087638", "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e" }

  1. Solution:

For Android apps it's advised to upgrade 2.3.1. For IOS platforms 4.6.2 is available..

  1. Links:

[1] [2] [3] [4] [5]

  1. Contact:

Harun Esur <>

Copyright 2014 Sceptive <>